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1.  Summary 

Over  50  percent  of  the  integrated  circuits  (ICs)  designed  for  modern  U.S.  weapon  systems  are  commercial 
off  the  shelf  (COTS)  parts,  primarily  field  programmable  gate  arrays  (FPGAs),  and  are  mostly 
manufactured  outside  of  the  United  States.  These  parts  are  vulnerable  to  malicious  alterations  that  could 
be  inserted  during  the  manufacturing  process  and  remain  undetectable.  Such  malicious  alterations  could 
contain  hidden  back  doors  enabling  an  attacker  to  gain  control  of  the  system,  disable  networks,  leak 
confidential  information,  or  degrade  signal  integrity.  Most  malicious  attacks  are  performed  by 
understanding  the  functionality  of  the  ICs  themselves.  If  a  designer  is  able  to  conceal  the  functionality  of 
an  IC,  then  most  of  these  attacks  can  be  prevented.  A  technique  called  Logic  Encryption  has  been 
developed  to  harden  computer  circuitry  against  these  malicious  threats  by  hiding  the  functionality  of  a 
design.  The  functionality  of  a  design  will  be  concealed  until  it  is  configured  by  a  designer  after  fabrication 
and  all  critical  computing  components  are  under  custody  and  control  of  the  rightful  owner  of  the 
technology.  Logic  encryption  can  be  achieved  by  inserting  additional  gates  like  XORs  and/or  multiplexers 
such  that  correct  outputs  are  produced  only  when  specific  inputs  or  keys  are  applied  to  these  gates  after 
manufacturing.  In  the  technique  described  here,  logic  encryption  is  related  to  fault  analysis  in  IC  testing  to 
develop  an  effective  and  efficient  way  to  guide  the  insertion  of  key  gates.  This  method  is  process 
independent  and  can  yield  valuable  security  benefits  because  one  need  not  trust  the  fabrication,  test,  and 
other  third  party  participants  in  the  outsourced  fabrication  process  model.  Most  importantly,  this  work 
will  be  used  as  an  added  layer  of  security  to  complement  existing  software  and  network  security, 
especially  within  mission-critical  systems. 
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2.  Introduction 


Chip  design  is  becoming  increasingly  vulnerable  to  malicious  activities  and  alterations  as  fabrication 
foundries  continue  to  move  offshore.  This  trend  leads  to  IC  designs  that  are  susceptible  to  cloning, 
tampering,  and/or  reverse  engineering.  These  issues  have  raised  serious  concerns  for  the  assured  security 
of  integrated  circuits,  especially  those  employed  within  mission-critical  hardware  for  surveillance, 
communications,  and  weapons  operations.  Military  electronic  systems  require  a  high  level  of  confidence 
that  the  microprocessors  being  used  are  authentic  and  secured.  For  example,  a  custom  microprocessor 
design  can  be  easily  altered  to  operate  identically  to  the  genuine  device  [1].  Alterations  can  be  designed  to 
disable  the  system  intentionally  or  to  compromise  the  system  in  some  manner  to  leak  sensitive 
information  at  any  point  in  the  future. 

In  February  2008,  the  US  Department  of  Justice  announced  that  $78  million  US  dollars  worth  of 
counterfeit  Cisco  systems  were  imported  from  China  the  previous  year.  For  instance,  on  January  4th, 
2008,  two  individuals  faced  federal  charges  for  trafficking  counterfeit  Cisco  products.  The  traffickers 
imported  counterfeit  computer  network  hardware,  from  an  individual  in  China,  and  sold  it  to  retailers 
throughout  the  United  States.  They  also  shipped  counterfeit  products  directly  to  the  Marine  Corps,  Air 
Force,  Federal  Aviation  Administration,  defense  contractors,  Federal  Bureau  of  Investigation,  universities 
and  financial  institutions.  In  a  Business  Week  article  on  October  2nd,  2009,  Melissa  E.  Hathaway,  head  of 
cyber  security  for  the  Office  of  the  Director  of  National  Intelligence,  said  that  counterfeit  products  have 
been  linked  to  the  crash  of  mission-critical  networks,  and  may  also  contain  hidden  ‘back  doors’  enabling 
network  security  to  be  bypassed  and  sensitive  data  to  be  accessed.  The  US  Department  of  Defense  has 
recognized  the  potential  national  defense  vulnerabilities  caused  by  counterfeit  devices  within  military 
systems  [2]. 

In  the  Technology  Horizons  report  by  former  US  Air  Force  Chief  Scientist,  Dr.  Dahm,  it  is  stated  that  one 
of  the  technology-derived  challenges  to  Air  Force  capabilities  is  having  cyber  operations  in  un-trusted 
environments  in  both  software  and  hardware  [3].  This  is  because  most  providers  of  critical  computing 
equipment  and  infrastructure  for  cyber  systems  originate  from  multinational  foreign  based  manufacturing 
operations.  Thus,  the  ability  to  regulate,  supervise,  and  secure  any  manufacturing  processes  are  out  of  US 
control  and  jurisdiction  to  ensure  trust  and  integrity  of  the  computing  hardware  components.  In  addition, 
one  of  the  greatest  risks  to  national  security  is  the  loss  of  the  critical  hardware  containing  secured  and 
trusted  computing  architecture  designs  in  the  field.  If  critical  deployed  hardware  is  lost,  captured  and  no 
longer  under  US  control,  it  can  be  subject  to  reverse  engineering.  Therefore,  it  is  critical  to  develop 
secured  hardware  technologies  that  inherently  prevent  tampering  and  reverse  engineering.  This  research 
and  development  effort  describes  techniques  applied  to  IC  processor  designs  that  will  provide  the 
mechanisms  to  maintain  secure  data  integrity  and  information  assurance  for  Air  Force  information 
processing  and  computing  systems.  In  addition,  this  computing  architecture  can  provide  the  foundation 
for  future  trusted  designs  irrespective  of  fabrication  origin.  Thus,  it  will  eliminate  national  defense, 
information  and  cyber  security  risks  and  vulnerabilities  due  to  exposure  to  untrusted  semiconductor 
manufacturing  foundries. 


Approved  for  Public  Release;  Distribution  Unlimited. 
2 


3.  Technical  Background 

The  issue  of  hardware  trojans  and  solutions  to  this  problem  have  been  studied  extensively  in  recent  years. 
In  a  technique  called  state-based  obfuscation  proposed  by  Chakraborty  and  Bhunia  [4],  finite  state 
machines  (FSMs)  are  inserted  in  the  design  which  initially  locks  all  processor  functionality.  Then,  by 
using  a  secured  key,  the  design  can  be  unlocked  causing  the  processor  to  be  functional  once  again.  The 
output  of  this  FSM  is  connected  to  XOR  gates  with  a  few  selected  nodes  of  the  circuit. 

An  approach  proposed  by  Jarrod  Roy  [5]  is  based  on  using  XOR/XNOR  gate-based  obfuscation.  In  this 
technique,  a  node  within  the  circuit  or  net  is  selected  and  replaced  by  an  XOR/XNOR  gate.  One  of  the 
inputs  to  the  inserted  XOR/XNOR  gate  is  a  key  bit  while  the  other  is  the  original  signal  for  the  selected 
net.  The  XOR/XNOR  gates  act  as  buffers  with  the  correct  key  while  they  become  inverters  with  an 
incorrect  key.  In  addition,  a  chip  activation  protocol  is  implemented  based  on  public-key  cryptography  for 
strong  security  within  the  IP  holder  and  foundry. 

Finally,  memory  elements  such  as  LUTs  can  also  be  inserted  into  a  design.  For  example,  four  input  LUTs 
can  be  inserted  within  various  circuit  paths.  For  each  LUT,  one  input  is  selected  as  the  true  path  and  the 
other  inputs  are  chosen  to  process  random  paths.  Based  on  the  LUT  inputs,  the  output  is  selected  from  the 
contents  of  the  respective  LUT.  The  circuit  will  function  correctly  only  when  these  elements  are 
configured  or  programmed  correctly.  However,  this  approach  incurs  significant  performance  overhead. 


4.  Technical  Approaches 

The  objective  of  this  research  effort  is  to  develop  techniques  that  prevent  tampering  during  the  design  and 
manufacturing  process  of  computing  architectures.  The  resulting  methodology  will  protect  Air  Force 
information  computing  systems  hardware  for  air,  space,  and  cyberspace  computing  applications. 

4.1  Approach  Overview  and  Principles  of  IC  Testing 

In  XOR/XNOR  based  logic  encryption  [5],  gates  are  inserted  at  random  locations  in  a  design.  However, 
this  approach  does  not  guarantee  that  a  wrong  key  will  impact  the  output  as  its  effects  are  not  necessarily 
propagated  to  the  output.  This  is  similar  to  an  IC  testing  scenario  where  the  effect  of  a  fault  is  not 
guaranteed  to  propagate  to  the  output.  In  this  approach,  these  two  scenarios  are  related  and  ensure  that  the 
effect  of  using  incorrect  keys  always  propagates  to  the  outputs. 

Manufactured  ICs  may  contain  defects  for  a  variety  of  reasons  such  as  shrinking  technology  dimensions. 
Thus,  all  manufactured  ICs  have  to  be  tested  to  prevent  defective  chips  from  entering  the  supply  chain. 
During  IC  testing,  input  patterns  are  applied  to  an  IC  and  the  response  is  observed  at  the  outputs  [6].  If  the 
observed  response  is  different  from  the  correct  response,  that  IC  would  be  classified  as  faulty.  IC  testing 
is  enabled  by  modeling  the  defects  as  faults  and  designing  algorithms  to  determine  the  input  patterns  that 
excite  those  faults  and  propagate  their  impact  on  the  outputs.  Most  of  the  defects  can  be  modeled  as  either 
stuck-at-0  (s-a-0)  or  stuck-at-1  (s-a-1)  where  a  net  in  the  design  can  be  forced  to  either  logic  0  or  logic  1, 
respectively. 
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4.2.  Fault  Analysis  based  Logic  Encryption 

As  traditional  IC  testing  algorithms  analyze  the  effect  of  faults  in  a  circuit  and  provide  ways  to  propagate 
their  effects  to  the  circuit  output,  they  are  leveraged  here  to  perform  logic  encryption  to  guide  key  gate 
insertion  [10-13].  The  gates  inserted  during  encryption  are  called  key  gates  and  include  two  different 
types:  1)  XOR/XNOR  gates  and  2)  multiplexers. 

In  XOR/XNOR  based  encryption,  XOR/XNOR  gates  are  introduced  into  the  circuit  such  that  one  input  of 
the  inserted  gate  is  a  key  and  the  other  input  is  a  net  in  the  original  design,  referred  to  here  as  the  true  net. 
Based  on  the  key,  the  XOR/XNOR  gate  can  either  retain  the  true  signal  or  invert  it. 

In  multiplexer  based  logic  encryption,  multiplexers  are  inserted  such  that  one  input  of  the  multiplexer  will 
be  the  true  (original)  net  in  the  design.  The  other  input  of  the  multiplexer,  referred  as  the  false  input,  is 
another  net  in  the  design  and  the  select  line  of  the  multiplexer  is  connected  to  the  respective  key  bit.  On 
applying  the  correct  key  value,  the  true  net  is  selected,  retaining  the  correct  functionality  of  the  design, 
otherwise,  the  functionality  is  modified  by  selecting  the  incorrect  or  false  net. 

The  encryption  of  a  design  is  accomplished  in  such  a  way  that  any  incorrect  key  causes  an  incorrect 
output.  This  is  similar  to  the  situation  where  an  incorrect  output  is  produced  when  the  circuit  has  a  fault 
which  has  been  excited  and  propagated  to  the  outputs. 

4.2.1.  Fault  Excitation 

Application  of  an  incorrect  key  should  change  the  logic  value  at  the  place  where  the  corresponding  key 
gate  is  inserted.  Hence,  applying  an  incorrect  key  can  be  associated  with  the  activation  of  a  fault.  An 
example  of  a  circuit  with  an  excited  fault  can  be  seen  in  Figure  1 . 

4.2. 1.1.  Fault  Excitation:  XOR/XNOR  gates 

In  the  case  of  XOR/XNOR  gates,  fault  excitation  is  always  guaranteed  on  applying  an  incorrect  key  as  the 
true  signal  gets  inverted,  i.e.,  either  a  stuck-at-0  (s-a-0)  or  stuck-at-1  (s-a-1)  fault  will  be  excited.  Figure 
2(a)  is  a  circuit  encrypted  with  one  XOR  gate  (El).  If  an  incorrect  key  (Kl=l)  is  applied  to  the  circuit,  the 
value  of  net  B  is  the  negated  value  of  net  A.  This  is  the  same  as  exciting  a  s-a-0  when  A=1  or  s-a-1  when 
A=0  at  the  output  of  G7  as  shown  in  Figure  1 . 


Figure  1:  A  circuit  with  a  stuck-at-0  fault. 
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4.2. 1.2.  Fault  Excitation:  Multiplexers 

In  the  case  of  multiplexer  based  key  gates,  the  application  of  an  incorrect  key  causes  a  false  net  to  be 
selected  instead  of  the  true  net.  For  example,  Figure  2(b)  shows  a  circuit  encrypted  with  one  multiplexer. 
If  an  incorrect  key  (Kl=l)  is  applied  to  the  circuit,  the  value  of  net  Y  gets  the  false  value  of  the  net  F 
instead  of  the  true  value  of  the  net  T.  For  the  input  pattern  1X111,  the  values  on  T  and  F  are  1  and  0, 
respectively.  On  applying  an  incorrect  key  a  s-a-0  fault  is  excited  at  the  output  of  G7  shown  in  Figure  1. 

4.2.2.  Fault  Propagation 

Not  all  incorrect  keys  can  corrupt  the  output  as  the  effects  of  an  incorrect  key  may  be  blocked  for  some  of 
the  input  patterns.  This  is  similar  to  the  scenario  where  not  all  input  patterns  can  propagate  the  effect  of  an 
excited  fault  to  the  output. 

4.2.2. 1.  Fault  Propagation:  XOR/XNOR  gates 

Considering  the  circuit  in  Figure  2(a),  an  input  pattern  of  01 1 10  and  an  incorrect  key  (Kl=l)  leads  to  an 
output  of  1 1  which  is  the  same  as  the  correct  functional  output.  Thus,  the  output  is  correct  even  though 
the  s-a-0  fault  gets  excited  at  the  output  of  El. 

4.2.2.2.  Fault  Propagation:  Multiplexers 

Consider  the  circuit  with  multiplexer  based  logic  encryption  in  Figure  2(b).  The  input  pattern  OHIO 
excites  a  s-a-0  fault  at  the  output  of  G7.  However,  the  impact  of  the  fault  is  blocked  at  G10,  failing  to 
corrupt  the  output  02. 

To  propagate  the  effect  of  an  excited  fault,  non-controlling  values  should  be  applied  to  the  other  inputs  of 
the  gates  that  are  on  the  propagation  path  of  the  fault.  Since  not  all  input  patterns  guarantee  the  non¬ 
controlling  values  to  these  gates,  an  incorrect  key  will  not  always  corrupt  the  output. 


Figure  2:  (a)  A  circuit  encrypted  with  one  XOR  gate  and  (b)  a  circuit  with  one  multiplexer. 
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4.2.3.  Fault  Masking 

Inserting  a  single  key  gate  and  applying  an  incorrect  key  is  equivalent  to  exciting  a  single  stuck-at  fault. 
Inserting  multiple  key  gates  and  applying  incorrect  keys  is  equivalent  to  exciting  multiple  stuck-at  faults. 
However,  when  multiple  faults  are  excited,  some  excited  faults  might  mask  the  effect  of  others. 
Analogously,  in  logic  encryption,  when  multiple  key  gates  are  inserted,  the  effect  of  one  key  gate  might 
mask  the  effect  of  another. 

4.2.3. 1.  Fault  Masking:  XOR/XNOR  gates 

When  the  key  bits  (K1  and  K2)  are  00  for  the  circuit  shown  in  Figure  3(a),  the  correct  functional  output  is 
00  for  the  input  pattern  4 00000’.  However,  if  the  key  bits  are  1 1  (incorrect  key),  the  effect  introduced  by 
the  XOR  gate  El  is  masked  by  the  XOR  gate  E2,  and  the  circuit  still  produces  a  correct  output  at  02,  i.e., 
a  logic  0.  Thus,  similar  to  fault  masking,  the  effect  of  one  XOR  gate  can  be  masked  by  the  effect  of 
another  XOR  gate. 

4.2.3.2.  Fault  Masking:  Multiplexers 

When  the  key  bits  (K1  and  K2)  00  are  applied  to  the  circuit  shown  in  Figure  3(b),  the  correct  functional 
output  at  02  is  0  for  the  input  pattern  4 0X1 10’.  However,  if  the  key  bits  are  1 1  (incorrect  key),  the  effect 
introduced  by  the  multiplexer  El  is  masked  by  the  multiplexer  gate  E2,  and  produces  a  correct  output  at 
02,  i.e.,  a  logic  0.  Thus,  similar  to  fault  masking,  the  effect  of  one  multiplexer  can  be  masked  by  the 
effect  of  another  multiplexer. 

4.3.  Logic  Encryption 
4.3.1.  Hamming  Distance 

If  only  one  or  more  of  the  output  bits  are  wrong  and  the  other  output  bits  do  not  change  for  an  invalid  key, 
then  the  attacker  might  figure  out  the  functionality  using  the  unaffected  outputs.  If  all  outputs  are  affected, 
then  the  output  will  be  the  exact  complement  of  the  correct  output.  Thus,  an  attacker  may  relate  the 
outputs  to  the  inputs.  Ideally,  if  50%  of  the  output  bits  are  affected,  and  if  the  set  of  affected  outputs 
changes  from  one  pattern  to  the  other,  then  it  is  difficult  for  an  attacker  to  relate  the  outputs  and  determine 
the  functionality  of  the  design.  Hence,  50%  of  the  output  bits  should  be  affected  on  applying  an  invalid 


Figure  3:  (a)  A  circuit  encrypted  with  two  XOR  gate  (El  and  E2).  (b)  A  circuit  encrypted  with 
two  multiplexers  (El  and  E2). 
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key.  In  terms  of  fault  simulation,  this  problem  can  be  stated  as  finding  a  set  of  faults  which  together  will 
affect  50%  of  the  outputs. 

4.3.2.  Fault  Impact 

A  greedy  iterative  approach  is  used  to  insert  key  gates.  In  each  iteration,  the  fault  that  has  the  potential  of 
propagating  to  a  maximum  number  of  outputs  dictates  the  location  of  the  key  gate  to  be  inserted.  For 
every  iteration  (except  for  the  first),  the  key  gates  inserted  at  previous  iterations  are  provided  with  random 
incorrect  keys  thereby  emulating  a  multiple  stuck-at  fault  scenario,  and  accounting  for  the  previous  key 
gate  insertions.  To  insert  a  key  gate,  the  location  in  the  circuit  must  be  determined  where,  if  a  fault  occurs, 
it  can  affect  most  of  the  outputs  for  most  of  the  input  patterns.  Fault  impact  [13]  is  used  as  defined  by  the 
following  equation  to  identify  such  locations: 

Fault  Impact  =  (#  of  Test  Patternss.a.0  x  #  of  Outputss.a_0)  + 

(#  of  Test  Patternss_a_i  x  #  of  Output ss_a_i).  (1) 

For  any  input  pattern,  depending  upon  the  value  at  the  control  input  of  the  gate  either  a  s-a-0  or  s-a-1  fault 
will  be  excited  at  the  output  of  a  gate.  However,  the  effect  of  the  fault  will  be  observed  at  one  or  more 
outputs  for  only  some  of  the  input  patterns.  From  a  set  of  test  patterns,  the  number  of  patterns  that  detect 
the  s-a-0  fault  (#  Test  Patternss.a_0)  are  computed  for  every  net  and  the  cumulative  number  of  output  bits 
that  get  affected  by  that  s-a-0  fault  (#  Outputss_a_0).  Similarly,  for  s-a-1  faults  the  terms  #  Test  Patternss_a_i 
and  #  Outputss_a_i  are  computed.  The  net  with  the  highest  fault  impact  points  to  the  location  where  the  key 
gate  is  to  be  inserted. 

4.3.3.  Contradiction  Metric 

As  described  in  3. 2. 1.3.,  fault  excitation  in  multiplexer-based  encryption  will  happen  only  if  the  value  on 
the  true  net  is  different  from  the  value  on  the  false  net.  The  true  net  has  already  been  selected  based  on  the 
fault-impact  metric  described  in  3.3.2.  The  selection  of  the  false  net  is  done  based  on  another  metric,  the 
contradiction  metric  [13],  which  aims  at  maximizing  the  probabilities  of  having  complementary  values  on 
the  true  and  the  false  nets  to  select  the  best  false  net: 

Contradiction  Metric  =  (P0,  true  x  Pi,  faise)  +  (Pi,  true  x  P0,  false),  (2) 
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input:  Netlist 

output:  Netlist  with  key  gates 
for  /  < —  1  to  Key  Size  do 

foreach  gate  j  e  Netlist  do 

]  Compute  Fault  Impact  ( Test  Patterns ,  Random  Key); 

End 

Select  the  gate  with  the  highest  Fault  Impact; 

Insert  a  Multiplexer  and  update  the  Netlist; 

Increment  Key  Size; 

Calculate  the  Hamming  Distance  ( Test  Pattern ,  Random  Key)  between  the  obtained  output  and 

the  correct  functional  output; 

if  Hamming  Distance  ==  50%  then 
|  Terminate 

end 

if  Key  Size  ==  Max  Key  Size  then 
|  Terminate 

end 

end 

Algorithm  1:  A  fault  impact  based  algorithm  to  insert  key  gates  in  circuit  path. 

where  P0,  true  and  Pi,  true  are  the  probabilities  of  getting  a  0  and  1  on  the  true  net,  respectively,  while  P0,  false 
and  Pi,  faise  are  the  probabilities  of  getting  a  0  and  1  on  the  false  net,  respectively. 

It  is  also  worth  noting  that  false  net  selection  should  avoid  combinational  loops.  For  the  multiplexer- 
based  encryption,  a  false  net  is  selected  based  on  the  conditional  probability  with  respect  to  the  values  on 
a  true  net. 

5.  Simulation  Results 

The  proposed  technique  is  evaluated  using  the  ISCAS-85  combinational  logic  benchmark  circuits  [7].  The 
HOPE  fault  simulation  tool  [8]  was  used  to  calculate  the  fault  impact  of  each  net  in  a  given  circuit  where 
1000  random  input  patterns  were  applied  to  a  netlist  to  observe  the  outputs  of  the  unencrypted  circuit.  The 
fault  impact  was  calculated  for  all  possible  stuck-at  faults  in  each  circuit.  In  multiplexer-based  encryption, 
after  selecting  a  true  net,  the  contradiction  metric  was  calculated  for  all  possible  nets  and  the  net  with  the 
highest  contradiction  metric  was  selected  as  the  false  path.  Valid  and  random  incorrect  keys  were  applied 
to  an  encrypted  netlist  and  determined  the  Hamming  distance  between  the  corresponding  outputs. 

Figures  4(a)  and  4(b)  show  the  Hamming  distance  for  XOR/XNOR-based  and  multiplexer-based 
encryption  schemes,  respectively.  The  proposed  XOR/XNOR-based  and  MUX-based  insertions  achieved 
50%  Hamming  distance  for  most  of  the  benchmarks  as  the  algorithm  takes  the  fault  propagation  and 
masking  effects  into  account.  In  these  types  of  encryption,  a  fault  is  always  excited  on  applying  an 
incorrect  key. 
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Hamming  Distance  for  Xor-based  Logic  Encryption 


(a) 


Hamming  Distance  for  Mux-based  Logic  Encryption 


(b) 

Figure  4:  Hamming  distance  between  the  outputs  on  applying  a  correct  key  and  an 
incorrect  key  for  different  ISCAS-85  benchmark  circuits,  (a)  XOR/XNOR-based 
encryption,  (b)  multiplexer-based  encryption. 


Table  I  shows  the  number  of  key  gates  required  to  achieve  50%  Hamming  distance  between  the  correct 
and  the  incorrect  output  in  XOR/XNOR-based  and  MUX-based  encryptions  for  some  of  the  ISCAS-85 
benchmark  circuits.  It  can  be  inferred  that  the  50%  Hamming  distance  objective  can  be  achieved  by 
inserting  tens  of  XOR/XNOR  gates  in  a  design  with  a  few  thousand  gates.  This  leads  to  low  area 
overhead  encryption.  Such  an  effect  is  achieved  because  the  technique  identifies  effective  locations  to 
insert  the  gates  based  on  excitation,  propagation,  and  masking  principles  from  IC  testing. 
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6.  Demonstrations 


Logic  Encryption  (LE)  hides  the  functionality  of  the  design  through  the  process  of  adding  additional  gates 
to  the  original  design  [8].  These  gates  will  act  at  keys,  upon  which  a  correct  set  of  keys  will  allow  the 
encrypted  design  to  function  correctly  and  an  incorrect  set  of  keys  will  produce  incorrect  functionality, 
i.e.  wrong  outputs.  In  this  project,  four  versions  of  logic  encryption  were  implemented  for  evaluation: 
combinational  XOR,  combinational  MUX,  sequential  XOR,  and  sequential  MUX.  The  designs  were 
synthesized  and  loaded  onto  an  FPGA  and  the  results  of  the  outputs  verified  via  the  RS232  port. 

The  top-level  diagram  is  shown  in  Figure  5.  The  RS232  module  serves  as  the  communication  channel 
between  the  encrypted  design  and  the  user.  Therefore,  the  user  can  interact  with  the  design  through  any 
serial  terminal  program.  The  controller  is  a  finite-state  machine  that  will  handle  how  the  data  is  loaded 
into  each  module.  The  buffer  will  store  the  data  until  it  is  ready  to  be  sent  to  either  the  RS232  or  the 
encrypted  module.  The  designs  were  implemented  on  a  Digilent  Atlys  FPGA  board  and  used  the  program 
Terminal  [15]  for  the  RS232  communication.  The  design  was  synthesized  using  Xilinx  ISE  Webpack  and 
the  bit  file  was  downloaded  using  Digilent  Adept. 


Figure  5:  Top-level  design  for  Fogic  Encryption. 


6.1.  Logic  Encryption  Implementation  of  AES 

The  Advanced  Encryption  Standard  (AES)  algorithm  is  a  block  cipher  that  operates  on  data  in  blocks  of 
128-bits  using  a  key  size  of  128,  192,  or  256-bits  [9].  Unlike  its  predecessor  Data  Encryption  Standard 
(DES)  which  operates  on  a  Feistel  network,  the  AES  algorithm  works  on  a  substitution  permutation 
network  using  a  4x4  byte  state  matrix.  There  are  four  major  operations:  SubBytes,  ShiftRows, 
MixColumns,  and  AddRoundKey  each  of  which  will  modify  the  state  matrix.  Before  the  four  major 
operations  are  performed,  an  initial  RoundKey  operation  is  added.  These  four  operations  will  be  looped  a 
certain  number  of  times  depending  on  the  key  size  used. 
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TABLE  1:  Number  of  key  gates  required  to  achieve  50%  Hamming  distance  between  the 
correct  and  the  incorrect  output  in  (a)  XOR/XNOR-based  encryption  and  (b)  MUX-based 
encryption  for  some  of  the  ISCAS-85  benchmark  circuits. 


#  of  key  gates 

Benchmark 

(a)  XOR 

(b)  MUX 

C17 

2 

18 

C432 

26 

66 

C499 

38 

210 

C880 

125 

207 

Cl  355 

160 

200 

Cl  908 

61 

194 

C3540 

170 

197 

C5315 

212 

209* 

C6288 

33 

82 

C7552 

251 

225* 

*  For  the  multiplexer  case,  circuits  C5315  and  C7552  do  not  achieve  50%  Hamming  distance.  The  #  of  key 
gates  listed  for  these  two  cases  is  for  the  maximum  Hamming  distance  possible. 

An  Advanced  Encryption  Standard  (AES)  circuit  [9]  was  implemented  and  the  encrypted  design  was 
implemented  on  an  FPGA.  The  AES  circuit  will  perform  the  encryption  correctly  only  when  the  correct 
key  is  applied  to  the  circuit. 

6.1.1.  AES  Algorithm  Details 

The  SubBytes  operation  is  a  substitution  transformation  that  performs  a  mapping  of  the  state  matrix  with 
the  S-Box.  The  resulting  state  matrix  provides  non-linearity.  For  example,  if  Statelt  =  [ DF ]  then  the 
new  Statexx  —  [9  E], 

The  ShiftRows  operation  moves  the  state  matrix  by  a  certain  number  of  offset  bytes.  The  first  row  of  the 
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Figure  6:  S-Box  [7]. 
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Figure  7:  ShiftRows  [7]. 

state  matrix  is  not  shifted  and  remains  constant.  The  second,  third,  and  fourth  rows  are  cyclically  shifted 
by  increments  of  one,  i.e.,  the  second  row  is  shifted  by  1,  the  third  row  is  shifted  by  2,  and  the  fourth  row 
is  shifted  by  3. 


The  MixColumns  operation  performs  a  column  by  column  multiplication  with  a  constant  matrix.  The 
addition  and  multiplication  of  the  matrix  is  performed  over  a  Galois  Field  (GF)  of  28.  This  means  that 
unlike  traditional  arithmetic,  the  addition  in  GF(28)  will  be  an  XOR  operation.  The  multiplication 
operation  is  similar  to  normal  arithmetic.  Here,  if  the  state  value  is  greater  than  0x80,  the  process  is  to 
left-shift  by  1  and  then  XORed  with  Ox  lb  to  prevent  overflow  in  the  Galois  field.  If  the  state  value  is  less 
than  0x80,  a  left-shift  by  1  is  performed  as  this  is  the  same  as  multiplying  by  2. 


The  AddRoundKey  operation  is  an  XOR  operation  between  the  RoundKey  and  the  state  matrix. 


6.1.2.  Design 

Logic  Encryption  hides  the  functionality  of  the  AES  design  by  adding  additional  gates  into  the  original 
design.  In  this  project  logic  encryption  was  implemented  for  the  S-Box  portion  of  the  AES  code  as  shown 
in  Figure  9.  This  was  done  mainly  because  the  Verilog  code  for  the  S-Box  consists  of  combinational 
circuits  only.  The  S-Box  was  encrypted  with  the  secret  key  set  to  all  zero,  for  the  sake  of  simplicity.  The 
design  then  was  synthesized  with  Xilinx  ISE  and  downloaded  to  an  Atlys  FPGA  board. 

6.1.3.  Simulation 

Two  different  simulations  of  the  AES  code  were  performed  using  Xilinx  iSim.  At  first,  the  AES  code  was 
simulated  without  logic  encryption  with  the  simulation  result  shown  in  Figure  10.  Logic  encryption  with 
XOR  gates  was  performed  in  the  S-Box  and  the  results  with  a  correct  key  and  incorrect  key  are  shown  in 
Figures  11  and  12,  respectively.  In  Figure  12,  one  bit  of  the  LE  key  has  been  changed  from  the  one  in 
Figure  1 1  to  produce  an  incorrect  key.  As  a  result,  an  avalanche  effect  is  observed  for  the  incorrect  output 
of  the  AES  ciphertext.  In  other  words,  after  changing  only  one  key  bit  more  than  half  of  the  output  bits 
are  impacted. 
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Figure  8:  MixColumns  matrix  multiplication  [7]. 
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Plain  Text 


LE  Key 


t 


CipherText 

- > 


AES  Key 

Figure  9:  Encrypted  S-Box  with  keys. 


Plaintext : 

AES  key: 

Correct  LE  key: 
Correct  Ciphertext : 
Incorrect  LE  key: 
Incorrect  Ciphertext : 


0x001122334455 6677 88 99aabbccddeeff 
0x000102 0304 050 607 080 90a0b0c0d0e0f 
0x00000000000000000000000000000000 
0x6  9c4e0d8  6a7b0430d8cdb7  8  07  0b4c55a 
0x00000000000000000000000000000001 
Oxccbcf 3b 4ea75clbf 2e0ee ccaf 0513259 


6.2.  A  Multiplier  using  Logic  Encryption 

The  16x16  Multiplier  is  also  known  as  the  C6288  ISCAS-85  benchmark  circuit.  It  consists  of  2416  gates 
forming  240  full  and  half  adders  using  a  15x16  matrix  arrangement  [11].  The  multiplier  takes  in  two  16- 
bit  inputs  and  outputs  a  32-bit  product. 

6.2.1.  Design 

Similar  to  the  AES  design,  the  multiplier  circuit  is  encrypted  with  the  mux-based  logic  encryption  and 
implemented  on  an  FPGA  board  with  RS232  module  to  allow  for  user  interaction. 


6.2.2.  Simulation 

Two  models,  one  with  logic  encryption  and  one  without  logic  encryption  are  simulated  using  Xilinx  iSim. 
The  two  operands  are  4660  (0x1234)  and  22136  (0x5678).  The  LE  key  use  for  logic  encryption  is  set  to 
all  zero.  Using  a  calculator  it  is  easy  to  verify  that  4660  *  22136  is  103153760  (0x6260060)  and  the 
results  agree  with  Figures  14  and  15.  In  Figure  16,  1-bit  in  the  LE  key  was  changed  to  generate  an 
incorrect  key  and  the  new  result  becomes  26804320  (0x1990060),  which  is  not  the  correct  answer. 


Figure  10:  AES  without  encryption. 
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Figure  11:  AES  with  encryption  (Correct  Key). 


Figure  12:  AES  with  encryption  (Incorrect  Key). 
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Figure  13:  ISCAS-85  C6288  circuit  [11]. 
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Figure  14:  Multiplier  without  encryption. 


figure  15:  Multiplier  with  correct  key. 
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figure  16:  Multiplier  with  incorrect  key. 

6.3.  Grain  using  Sequential  XOR  Logic  Encryption 

Cryptographic  algorithms  are  a  key  feature  in  secure  and  trusted  hardware  design.  The  overhead  and 
resource  usage  of  these  algorithms  are  typically  minimal  due  to  the  size  of  the  overall  design.  However, 
for  applications  that  required  low  memory  and  power  usage  such  as  an  RFID  tag,  this  may  be  difficult  to 
achieve  by  using  traditional  block  cipher  algorithms.  Grain  is  a  stream  cipher  that  is  designed  for  low 
power  and  low  resource  count.  As  a  part  of  the  eSTREAM  project,  Grain  was  chosen  because  of  its 
simplistic  design  with  two  shift  registers,  one  linear  and  one  non  linear,  and  can  support  a  key  size  of  128 
bits  and  an  IV  size  of  96  bits.  An  overview  of  the  Grain  structure  is  shown  in  Figure  17;  NFSR  and  LFSR 
are  non-linear  and  linear  shift  registers,  respectively.  Functions  g(x),  f(x),  and  h(x)  are  polynomial.  More 
detail  specification  can  be  found  in  the  work  of  Hell  et  al.  [12,16], 


Figure  17:  Grain  Stream  Cipher  [10]. 


6.3.1.  Design 


In  previous  logic  encryption  designs  only  the  combinational  portion  of  the  design  is  encrypted. 
This  does  not  give  many  options  for  designs  that  heavily  depend  on  sequential  circuit  elements. 
In  sequential  LE,  it  is  important  to  take  into  account  how  the  fault  impact  metric  will  affect  the 
gates  with  sequential  elements  in  the  path.  Once  this  has  been  determined,  the  encryption  is 
performed  in  the  same  process  as  used  for  the  combinational  XOR  approach.  The  Grain  VHDL 
code  was  obtained  from  [13]  and  implemented  in  the  same  fashion  as  shown  in  Figure  5. 
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6.3.2.  Simulation 


Similar  to  the  combinational  XOR  simulation,  two  versions  of  Grain  were  simulated.  The  Grain  test 
vectors  are  obtained  from  [12].  Since  Grain  is  a  stream  cipher,  it  will  output  the  key  stream  of  one  bit 
every  clock  cycle.  Therefore,  a  shift  register  was  included  to  store  64bits  at  any  point  in  time.  The  LE  key 
for  this  design  was  set  to  0xll22334455667788aabbccddeeff0000  as  shown  in  Figure  19  and  denoted  as 
the  obf_key  signal. 


Grain  Key: 

Grain  IV: 

Correct  LE  key: 
Correct  keystream : 
Incorrect  LE  key: 
Incorrect  keystream : 


0x00000000000000000000 

0x0000000000000000 

0x1122334455 6677 88aabbccddeeff 0000 
0x7b978cf36846e5f4ee0b 
0x1122334455 6677 88aabbccddeeff 0001 
0x9f 58bbe3d72d8abed72d 


Figure  18:  Grain  without  encryption. 


Figure  19:  Grain  with  correct  key. 
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Figure  20:  Grain  with  incorrect  key. 


6.4.  CRC  using  Sequential  MUX  Logic  Encryption 

Cyclic  redundancy  check  (CRC)  is  an  error  detecting  code  used  to  determine  the  data  integrity  of  a  digital 
transmission.  It  has  been  implemented  in  various  communication  protocols  such  as  TCP/IP,  USB,  and 
GSM  networks.  Since  the  computation  of  CRC  is  done  through  a  polynomial  division  using  modulo  two, 
it  is  easy  to  implement  this  in  hardware  using  shift  registers. 

6.4.1.  Design 

The  CRC  implementation  for  USB  token  protocol  was  chosen  was  the  main  candidate.  The  VHDL  source 
code  was  generated  from  [14]  using  the  standard  CRC5  which  has  a  polynomial  of  xA5  +  xA2  +  1.  The 
CRC  design  then  was  encryption  with  the  mux-based  LE. 

6.4.2.  Simulation 

Two  versions  of  the  CRC5  were  simulated.  As  shown  in  Figure  21,  for  input  data  of  0x1234578,  the  CRC 
checksum  is  Ox  la.  In  the  logic-encrypted  design  with  a  LE  key  of  0x4a6f7921  the  output  matches  the 
original  design  (Figure  22).  However,  when  an  incorrect  LE  key  is  supplied  the  design  will  become 
unstable  and  an  incorrect  output  results  (Figure  23). 


Figure  21:  CRC5  without  encryption. 
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Figure  22:  CRC5  with  correct  key. 


Figure  23:  CRC5  with  incorrect  key. 


7.  Conclusion 

Fault  analysis  based  logic  encryption  with  XOR/XNOR  gates  achieves  50%  Hamming  distance  between 
the  correct  and  the  corresponding  wrong  outputs  when  an  invalid  key  is  applied  to  the  design.  To  improve 
the  Hamming  distance  of  multiplexer-based  encryption,  one  can  select  the  false  net  based  on  the 
conditional  probability  with  respect  to  the  values  on  the  true  net  as  opposed  to  the  absolute  probability. 
Alternatively,  the  fault  analysis  technique  can  be  employed  to  guide  the  selection  of  false  nets.  Logic 
encryption  can  also  be  performed  using  a  fault  simulator  that  supports  multiple  stuck-at  fault  models  to 
account  for  fault  masking  effects.  Even  though  in  this  work  the  approach  for  encrypting  combinational 
designs  has  been  effectively  demonstrated,  one  can  also  extend  it  to  encrypt  sequential  designs.  In 
addition,  several  logic  circuits  were  implemented  using  logic  encryption  as  proofs-of-concept  with  each 
design  placed  the  on  an  FPGA  board  to  verify  the  results  of  the  outputs. 
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